vidar | f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174

Analysis

Target

f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe
Size

772KB
MD5

9e8388274066861ecf159c212e153ec1
SHA1

6ba52b3cca249625bce6de2fdf98002b7f476cde
SHA256

f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174
SHA512

33a2a84cde6543aa464f4439d7db57e7debe6c87b7537b2b349da843b015b99cbd1d5dc70b347a6e8fcfa000652669cabc2e539748a5e127fdea72673915618c

Score

10^/10

vidar 937 stealer

Family

vidar

Version

47.9

Botnet

937

https://mas.to/@kirpich

Attributes

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/964-57-0x0000000002100000-0x00000000021D6000-memory.dmp	family_vidar
behavioral1/memory/964-58-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1812 964 WerFault.exe f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1812 WerFault.exe
1812 WerFault.exe
1812 WerFault.exe
1812 WerFault.exe
1812 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1812 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1812 WerFault.exe

pid	pid_target	process	target process
1812	964	WerFault.exe	f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe

pid	process
1812	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1812	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe

description	pid	process	target process
PID 964 wrote to memory of 1812	964	f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe	WerFault.exe
PID 964 wrote to memory of 1812	964	f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe	WerFault.exe
PID 964 wrote to memory of 1812	964	f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe	WerFault.exe
PID 964 wrote to memory of 1812	964	f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe
"C:\Users\Admin\AppData\Local\Temp\f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:964

memory/964-54-0x00000000002ED000-0x000000000036A000-memory.dmp

Filesize
500KB

Download
memory/964-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/964-56-0x00000000002ED000-0x000000000036A000-memory.dmp

Filesize
500KB

Download
memory/964-57-0x0000000002100000-0x00000000021D6000-memory.dmp

Filesize
856KB

Download
memory/964-58-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1812-59-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download